Based on quantum encryption, we present a new idea for quantum public-key cryptography 
(QPKC) and construct a complete theoretical framework for a QPKC system. We show that the 
quantum-mechanical nature of the keys makes it feasible and reasonable to use symmetric keys in such a 
scheme, which is quite different from conventional public-key cryptography. The security of 
the scheme is analyzed and some of its features are discussed. Furthermore, a state-estimation attack 
on a prior QPKC scheme is demonstrated. 



PACS numbers: 03.67.Dd, 03.67.Hk, 03.65.Ud 
I. INTRODUCTION 

In the 1970s, the concept of public-key cryptography (PKC), also called asymmetric 
cryptography, was proposed [1, 3]. It represented a radical revision of cryptographic thinking 
and transformed the world of information security. Before the appearance of PKC, the only tool 
for keeping communications secret was symmetric cryptography, where the two parties must share 
a sequence of secret bits (the key) in advance in order to encrypt and decrypt messages. Under 
this condition, how to securely distribute such a key between the users becomes an intractable 
problem. In PKC, by contrast, there are two different keys e and d (hence the name asymmetric 
cryptography), called the public key and the private key respectively. As their names imply, 
e is published and anyone can access it freely, whereas d is known only to its owner. As 
described by Rivest, Shamir, and Adleman when they presented the famous RSA scheme, a PKC 
system generally satisfies the following four conditions: (C1) a message encrypted with e can 
be correctly decrypted with d; (C2) both encryption and decryption are easy to compute; (C3) it 
is difficult to compute d from the public e; (C4) a message encrypted with d can also be 
correctly decrypted with e. Armed with these properties, PKC can be used conveniently by users 
who no longer need to share a secret key in advance. PKC therefore resolves the key-distribution 
difficulty of symmetric cryptography, and the latter can then be used to encrypt the messages. 
This kind of hybrid cryptosystem is what is generally used in practice. Furthermore, PKC is 
also the most suitable choice for the other important application of cryptography, the digital 
signature. 

The security of PKC rests on computational complexity assumptions, which is reflected in 
condition (C3). Equivalently, the reliability of a PKC scheme is based on certain mathematically 
hard problems such as integer factorization, the discrete logarithm, etc. However, most such 
problems are no longer hard in the context of quantum computation. As a result, most PKC 
schemes will be broken by a future quantum computer. It is natural to ask what will then 
replace PKC for distributing a key. One possible way is to exploit quantum mechanics, which is 
called quantum key distribution (QKD) or quantum cryptography. QKD has a unique property: 
potential eavesdropping is exposed to the users, and consequently it can achieve unconditional 
security in theory. This security is assured by fundamental principles of quantum mechanics 
instead of the hardness of computational problems. 

In fact, QKD realizes only one application of PKC, namely key distribution. What about the 
digital signature, the other important application? Obviously we do not want to give up the 
significant flexibility of PKC even in the era of the quantum computer. To this end, research 
is progressing along two directions. One is to look for problems that remain hard under quantum 
computation (in particular, under the existing quantum algorithms) and to construct PKC based 
on them. In these schemes the key is still composed of classical bits, so the flexibility of 
PKC is retained, but the fact that their security rests on unproved computational assumptions 
is unchanged. For simplicity, we call this kind of cryptosystem the first class of quantum PKC 
(QPKC class I). The other direction pursues PKC with perfect security by adding more quantum 
elements to the schemes, just as in QKD. In these schemes the security is assured by physical 
laws instead of unproved assumptions. However, the keys generally contain qubits, which are, at 
least with current techniques, more difficult to handle, so the flexibility of PKC is reduced 
to some extent. We call these cryptosystems the second class of quantum PKC (QPKC class II). In 
our opinion, both classes are of significance for future applications: class I is more 
practical, whereas class II is more ideal and still needs more research. In this paper we study 
the latter. 
Recently, G. M. Nikolopoulos presented a novel QPKC scheme (the GMN scheme) based on 
single-qubit rotations [11]. In this scheme the public key consists of polarization qubits. 
Each qubit is generated by rotating a standard state $|0\rangle$ by a random angle, and all 
these angles (represented as bit strings) form the corresponding private key. By Holevo's 
theorem [12], little information can be extracted by measuring these qubits even when many 
copies of the public key are served, far from enough to obtain the exact value of the 
private key. This basic idea is similar to the one proposed by Gottesman [13]. 

In this paper we point out a potential security problem in the GMN scheme and propose a new 
theoretical framework for QPKC based on quantum encryption. In our scheme the two qubits of a 
Bell state serve as the public key and the private key respectively. Because both qubits are in 
the maximally mixed state, we actually construct a quantum asymmetric cryptosystem with 
symmetric keys, which would be unthinkable in conventional cryptography; it is the quantum 
nature of the keys that makes it feasible. Furthermore, the security of the scheme is 
guaranteed by the laws of quantum mechanics. This paper is arranged as follows. In Section II 
we discuss the security issue of the previous idea of QPKC. Our new scheme is presented in 
Section III and its security is analyzed in Section IV. Finally, some features of the scheme 
are discussed and conclusions are drawn in Section V. 



II. A SECURITY ISSUE IN PREVIOUS QPKC 

Let us first briefly describe the preparation of the keys in the GMN scheme. The user, say 
Bob, randomly chooses an integer n, and then chooses N integers $s_1, s_2, \ldots, s_N$ 
independently from $\mathbb{Z}_{2^n}$, which compose the integer string 
$s = (s_1, s_2, \ldots, s_N)$. After that, Bob generates N single qubits in the states 
$\{\mathcal{R}_y(s_j\theta_n)|0\rangle\}$, where $1 \le j \le N$, $\theta_n = \pi/2^{n-1}$, and 
$\mathcal{R}_y$ is the rotation about the y axis of the Bloch sphere. These qubits are in 
one-to-one correspondence with the integers in s. The private key is $d = \{n, s\}$, and the 
public key is $e = \{N, |\Psi_s^{(N)}(\theta_n)\rangle\}$, where $|\Psi_s^{(N)}(\theta_n)\rangle$ 
represents the state of the sequence of all N qubits. 

As analyzed in Ref. [11], the entropy of the private key is relatively high when $n \gg 1$ and 
grows with n. If an eavesdropper, say Eve, tries to extract information about the private key 
by measuring the public key (i.e. the qubits), she obtains only limited information: the 
obtainable information is bounded by the Holevo quantity [12], which depends only on the number 
of qubits measured. Therefore, it seems that as long as n is large enough, Bob can release many 
copies of his public key without losing the confidentiality of his private key (see Eq. (3b) in 
Ref. [11]). 

From a theoretical point of view, the above conclusion is undoubtedly right. However, when the 
security of the QPKC system as a whole is concerned, the publication of multiple copies of the 
public key gives Eve a chance to attack. Although knowing the private key would make 
eavesdropping very easy, Eve's ultimate aim is to obtain the encrypted message (the plaintext), 
not the private key. Consequently, a straightforward strategy arises: estimate the private key 
to a certain accuracy by measuring the public key, and use the result to recover the plaintext 
from the ciphertext. 

Now we show what Eve can obtain with this strategy. To see the accuracy to which Eve can 
estimate the private key, we use results from the theory of state estimation. In the GMN 
scheme, all the single-qubit states lie on the x-z plane of the Bloch sphere. In this case, by 
optimal collective measurements on M copies of the unknown state, Eve can reach a fidelity F 
between her estimate and the true state that increases with M. That is to say, if Eve has M 
identical unknown states $|\psi\rangle$ on the x-z plane, she can obtain a known state 
$|\psi'\rangle$ such that 

$$|\langle\psi'|\psi\rangle|^2 = F. \qquad (2)$$

The guessed state $|\psi'\rangle$ will be very close to the true state $|\psi\rangle$ when M is 
large. 

Suppose Eve can get K copies of the public key in the GMN scheme. Without loss of generality, 
consider one state $|\psi_{s_j}\rangle$. Eve then has K identical qubits in this state, so by 
optimal collective measurements she can obtain a guessed state $|\psi'_{s_j}\rangle$ with 

$$|\langle\psi'_{s_j}|\psi_{s_j}\rangle|^2 \approx 1 - \frac{1}{4K}.$$

Note that this state is known to Eve and corresponds to an approximate value of the integer 
$s_j$ in the private key. As a result, Eve can construct the measurement basis 
$B_{s_j} = \{|\psi'_{s_j}\rangle, |\psi'^{\perp}_{s_j}\rangle\}$, where 
$|\psi'^{\perp}_{s_j}\rangle$ is the state orthogonal to $|\psi'_{s_j}\rangle$, and measure any 
single qubit in it. In the following we show that this basis gives Eve the chance to extract 
information about the plaintext. 

In the process of encryption the sender (say Alice) gets a copy of Bob's public key and uses 
the qubit in state $|\psi_{s_j}\rangle$ to encrypt the jth bit $m_j$ of her plaintext 
($m_j = 0$ or 1). The corresponding ciphertext is the state 
$\mathcal{R}_y(m_j\pi)|\psi_{s_j}\rangle$, so the plaintext bits 0 and 1 are encrypted into 
$|\psi_{s_j}\rangle$ and $|\psi^{\perp}_{s_j}\rangle$ respectively. Eve can therefore intercept 
the ciphertext sent by Alice and measure it in the basis $B_{s_j}$, taking the outcomes 
$|\psi'_{s_j}\rangle$ and $|\psi'^{\perp}_{s_j}\rangle$ to mean plaintext 0 and 1 respectively. 
Since $|\psi_{s_j}\rangle$ and $|\psi'_{s_j}\rangle$ are very close on the Bloch sphere, Eve 
obtains the correct plaintext bit $m_j$ with high probability, namely $P_c = F$. Equivalently, 
the amount of information Eve obtains about $m_j$ equals 

$$I(A,E) = H(A) - H(A|E) = 1 + 2\left[F\log_2 F + (1-F)\log_2(1-F)\right], \qquad (3)$$

where A and E represent Alice and Eve respectively, and $I(A,E)$ denotes the mutual 
information between them. 

Though the detection of eavesdropping is not considered in Ref. [11], we have to consider the 
disturbance caused by Eve's intervention, in view of its importance in quantum cryptography. 
In the above attack, to avoid being discovered by Alice and Bob, Eve resends the state 
corresponding to her measurement result, $|\psi'_{s_j}\rangle$ or $|\psi'^{\perp}_{s_j}\rangle$, 
to Bob. An error then occurs with probability 

$$P_e = 2F(1-F), \qquad (4)$$

where "error" means that the bit received by Bob differs from the one sent by Alice. 

From Eqs. (3) and (4) it can be seen that when K is large Eve obtains nearly all of the 
plaintext while introducing few errors (see Tab. 1 and Fig. 1 for details). 

Tab. 1: The values of I(A,E) and $P_e$ for different K, from Eqs. (3) and (4) with 
$F = 1 - 1/(4K)$. (Entries marked * were not legible in the source and have been recomputed 
from the same formulas.) 

  K        10       20       50       100      1000 
  I(A,E)   0.6627   0.8061*  0.9092*  0.9496*  0.9933 
  P_e      0.0488   0.0247   0.0100   0.0050*  0.0005 

FIG. 1: Mutual information I(A,E) and error probability $P_e$ as functions of the number K 
of public-key copies. The horizontal axis is K; the upper curve is I(A,E) and the lower 
curve is $P_e$. 

Finally, in Ref. [11] and its very recent Erratum [20], it was pointed out that each plaintext 
bit should be encrypted into several or more qubits so that the scheme can withstand the 
SWAP-test attack. Under this condition our attack strategy may not be as effective either. 
However, as a special strategy for attacking a QPKC system, the state-estimation attack seems 
more straightforward and practical than the SWAP-test attack. The basic idea of our attack, 
namely estimating the states in the public key by measurement and then trying to decrypt the 
ciphertext rather than recovering the exact private key, should be kept in mind in QPKC 
schemes, including those of Refs. [11, 13]. As a result, the state-estimation attack remains 
significant when the security of QPKC is considered in future research. 



III. QPKC BASED ON QUANTUM ENCRYPTION 

From the above discussion we can see that the model of key generation in previous QPKC 
schemes may be vulnerable to the state-estimation attack. More concretely, although Eve cannot 
obtain the exact private key by measuring multiple copies of the public key, she can still 
obtain an approximate private key and use it to extract information about the plaintext. 
Therefore, it is desirable to find a new way to generate keys in QPKC. Here we give a scheme 
using the two qubits of a Bell state as the keys, in which, as in almost all existing quantum 
cryptography protocols, an eavesdropping-detection process is introduced and the security is 
guaranteed by it. 
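The attack recapped above (Section II), as an added example that is not part of the original paper: the Python code below reproduces the figures of Tab. 1 from Eqs. (3) and (4) with the large-K fidelity F = 1 - 1/(4K), and then runs a Monte Carlo of the intercept-resend attack against the GMN key format. Eve's estimator in the simulation is a simple separable one chosen for this example (half of the K copies measured in Z, half in X); it is not the optimal collective measurement quoted in the text, so its fidelity is somewhat below 1 - 1/(4K). The key parameter n, the seed and all function names are this example's own assumptions.

```python
import math
import random

# --- Figures of merit for the state-estimation attack (Eqs. (3) and (4)) ---

def fidelity(K):
    """Fidelity of Eve's optimal collective estimate from K copies, in the large-K
    form quoted in the text: F ~= 1 - 1/(4K)."""
    return 1.0 - 1.0 / (4.0 * K)

def mutual_information(F):
    """Eq. (3): I(A,E) = 1 + 2[F log2 F + (1-F) log2(1-F)]."""
    return 1.0 + 2.0 * (F * math.log2(F) + (1.0 - F) * math.log2(1.0 - F))

def error_probability(F):
    """Eq. (4): P_e = 2F(1-F), the error rate Eve's intercept-resend causes for Bob."""
    return 2.0 * F * (1.0 - F)

def attack_table(Ks=(10, 20, 50, 100, 1000)):
    """Reproduces Tab. 1 as K -> (I(A,E), P_e)."""
    return {K: (mutual_information(fidelity(K)), error_probability(fidelity(K))) for K in Ks}

# --- Monte Carlo of the attack on the GMN scheme ---
# Eve's estimator below is a deliberately simple separable one (half of the K copies
# measured in Z, half in X). It is an assumption of this example, not the optimal
# collective measurement of the text, so its fidelity sits somewhat below 1 - 1/(4K).

def bloch_angle(s, n):
    """Angle of the public-key qubit |psi_s> = R_y(s * theta_n)|0>, theta_n = pi / 2^(n-1)."""
    return s * math.pi / 2 ** (n - 1)

def eve_estimate(theta, K, rng):
    """Estimate theta from K copies of cos(theta/2)|0> + sin(theta/2)|1>."""
    nz, nx = K // 2, K - K // 2
    p0 = math.cos(theta / 2) ** 2             # Pr[Z-basis outcome 0]
    pplus = (1.0 + math.sin(theta)) / 2.0     # Pr[X-basis outcome +]
    z = sum(1 if rng.random() < p0 else -1 for _ in range(nz)) / nz
    x = sum(1 if rng.random() < pplus else -1 for _ in range(nx)) / nx
    return math.atan2(x, z)                   # <X> = sin(theta), <Z> = cos(theta)

def simulate_attack(K, n=8, trials=2000, seed=1):
    """Intercept-resend attack with an approximate key.
    Returns (fraction of bits Eve reads correctly, fraction of bits Bob receives wrong)."""
    rng = random.Random(seed)
    eve_ok = bob_err = 0
    for _ in range(trials):
        theta = bloch_angle(rng.randrange(2 ** n), n)   # Bob's secret s_j fixes the angle
        theta_hat = eve_estimate(theta, K, rng)         # Eve's approximate private key
        m = rng.randrange(2)
        # Ciphertext is |psi_s> (m=0) or R_y(pi)|psi_s> = |psi_s^perp> (m=1). Measuring it
        # in {|psi'>, |psi'^perp>} yields the right bit with probability |<psi'|psi>|^2.
        f = math.cos((theta - theta_hat) / 2) ** 2
        eve_bit = m if rng.random() < f else 1 - m
        eve_ok += eve_bit == m
        # Eve resends her basis state; Bob, who knows s exactly, decodes it with probability f.
        bob_bit = eve_bit if rng.random() < f else 1 - eve_bit
        bob_err += bob_bit != m
    return eve_ok / trials, bob_err / trials
```

`attack_table()` returns the five columns of Tab. 1; `simulate_attack(100)` returns Eve's success rate (close to 0.996 with this estimator) together with the error rate Bob sees, which stays under one percent even though Eve never learns s exactly.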

Before describing our QPKC scheme, we introduce several basic assumptions about the system: 
(A1) there is a trusted center (Trent) in the QPKC system; (A2) Trent can authenticate every 
user's identity in the communications between them, which can be realized by quantum 
authentication protocols [21]; (A3) the information transmitted over the classical channels can 
be eavesdropped on but cannot be modified. These assumptions are reasonable and generally 
accepted in PKC (A1 and A2) and quantum cryptography (A3). 

This scheme consists of the following four stages. 

Stage 1: Key generation. Trent generates a pair of keys, the public key e and the private key 
d, for each user. Without loss of generality, take Bob as the example. The process is as 
follows. 

1. Trent prepares a sequence of qubit pairs $S_1 = \{(p_1, q_1), (p_2, q_2), \ldots, (p_n, q_n)\}$. 
Each pair is in the Bell state 

$$|\Phi^+\rangle = \frac{1}{\sqrt 2}\big(|00\rangle + |11\rangle\big). \qquad (5)$$

The two qubit sequences $S_p = \{p_1, p_2, \ldots, p_n\}$ and $S_q = \{q_1, q_2, \ldots, q_n\}$ 
will be used as Bob's public key and private key respectively. 

2. To transmit $S_q$ to Bob securely, Trent also generates a certain number of decoy states 
$S_d = \{d_1, d_2, \ldots, d_k\}$, each qubit randomly in one of the states 
$\{|0\rangle, |1\rangle, |+\rangle = \frac{1}{\sqrt2}(|0\rangle + |1\rangle), 
|-\rangle = \frac{1}{\sqrt2}(|0\rangle - |1\rangle)\}$. Note that the meaning of "decoy state" 
here differs somewhat from the widely studied one [22], where decoy states are used to counter 
the photon-number-splitting (PNS) attack in practical QKD implementations. The task of both 
kinds of decoy state is the same, however: helping the users discover potential attacks. We 
discuss the role of the above decoy states in detail in Section IV. 

3. Trent inserts each qubit of $S_d$ at a random position in the sequence $S_q$, obtaining a 
new qubit sequence $S_{qd}$, and sends $S_{qd}$ to Bob via a quantum channel. 

4. After Bob has received all these qubits, Trent tells Bob the position and the basis 
($B_z = \{|0\rangle, |1\rangle\}$ or $B_x = \{|+\rangle, |-\rangle\}$) of each decoy state. 

5. Bob measures all decoy states in their corresponding bases and announces the results to 
Trent. By comparing these results with the initial states of the decoy qubits, Trent can judge 
whether the transmitted sequence has been disturbed. 

6. If no eavesdropping is detected, Bob obtains his private key d, i.e. the sequence $S_q$, 
and Trent stores Bob's public key e, i.e. $S_p$, for future use. Otherwise the communication 
may be insecure and is aborted. 

In the following stages we will see that the keys might not suffice for a long message, or 
may be consumed gradually. Whenever the key is insufficient, Trent can generate new Bell-state 
pairs to replenish it. 

Stage 2: Encryption. Suppose a user, say Alice, wants to send an r-bit message 
$m = \{m_1, m_2, \ldots, m_r\}$ to Bob, where $m_i = 0$ or 1 and $r \le n$. Alice encrypts it 
by the following steps. 

1. Alice asks Trent to send her r qubits of Bob's public key. 

2. Trent sends the first r qubits of the sequence $S_p$ to Alice; we denote this part of the 
sequence by $S'_p = \{p_1, p_2, \ldots, p_r\}$. As in Stage 1, Trent also uses decoy states so 
that these qubits are transmitted securely to Alice. 

3. Alice generates an r-qubit sequence $L = \{l_1, l_2, \ldots, l_r\}$ in the states 
$\{|m_1\rangle, |m_2\rangle, \ldots, |m_r\rangle\}$ respectively, which encodes the message to 
be encrypted. 

4. Alice encrypts her message L with the public key $S'_p$. More concretely, Alice uses one 
qubit of $S'_p$ to encrypt the corresponding message qubit via a CNOT operation. For example, 
to encrypt $|l_i\rangle$, Alice performs the CNOT gate $C_{p_i l_i}$ (the first subscript 
$p_i$ denotes the control and the second, $l_i$, the target) on qubits $p_i$ and $l_i$, that is 

$$C_{p_i l_i}\,\frac{1}{\sqrt2}\big(|00\rangle + |11\rangle\big)_{p_i q_i}|m_i\rangle_{l_i} 
= \frac{1}{\sqrt2}\big(|00m_i\rangle + |11\bar m_i\rangle\big)_{p_i q_i l_i}, \qquad (6)$$

where $\bar m_i = 1 - m_i$. 

5. After encrypting all her message qubits, Alice sends the sequence L (the ciphertext) to Bob 
through a quantum channel. 

Stage 3: Decryption. After Bob has received all these qubits, he executes the following steps 
to recover the message m. 

1. For each qubit in the ciphertext L, Bob performs the CNOT operation $C_{q_i l_i}$ to decrypt 
it. The state then changes into 

$$C_{q_i l_i}\,\frac{1}{\sqrt2}\big(|00m_i\rangle + |11\bar m_i\rangle\big)_{p_i q_i l_i} 
= |\Phi^+\rangle_{p_i q_i}|m_i\rangle_{l_i}. \qquad (7)$$

2. Bob measures each qubit in L in the basis $B_z$. From Eq. (7), the measurement results 
compose exactly the message m. Thus the message sent by Alice is recovered and the decryption 
is finished. 

Stage 4: Key recycling. The above communication has a useful property: the states of Bob's 
keys are unchanged after encryption and decryption. Therefore the keys can be recycled by the 
following steps. 

1. Alice sends Bob's public key, i.e. the qubit sequence $S'_p$, back to Trent. 

2. To ensure the security of these recycled key qubits, Trent randomly selects a certain number 
of them from $S'_p$ as test qubits and measures each of them in $B_z$ or $B_x$ at random. 

3. Trent tells Bob the position and the measurement basis of each test qubit. 

4. Bob measures his corresponding qubits in the same bases and announces his results. Because 
every pair of corresponding qubits in the two keys should be in the Bell state $|\Phi^+\rangle$, 
the measurement results exhibit deterministic correlations: they are equal in both bases $B_z$ 
and $B_x$. 

5. By comparing the results, Trent can judge whether these qubits have been attacked. If not, 
Trent and Bob store the remaining qubits to replenish the public key and the private key; 
otherwise the recycled key qubits are discarded. 

We have now described the QPKC scheme based on quantum encryption. Both the qubits of the 
public key and those of the private key come from the Bell state $|\Phi^+\rangle$ and are in 
the same state, the maximally mixed state 
$\rho = \frac12(|0\rangle\langle0| + |1\rangle\langle1|)$. An interesting consequence follows: 
this QPKC scheme essentially uses a pair of symmetric keys. In fact the basic idea of the 
scheme is similar to that of the quantum Vernam cipher [23]. In conventional cryptography, the 
Vernam cipher (the one-time pad) [23] can never be used for PKC because its decryption key 
equals its encryption key and keys can be copied at will. In the quantum context things are 
totally different: one cannot obtain the decryption key (private key) by making a copy of the 
encryption key (public key) even though they are in the same state, which is guaranteed by the 
quantum no-cloning theorem [25]. 

Finally, some issues about this QPKC scheme need clarification. 

1. The public key obtained by Alice is in fact a sub-sequence of $S_p$. After Alice has 
received these qubits, Trent must tell Bob which sub-sequence of $S_p$ was sent to Alice so 
that Bob can use the corresponding qubits to decrypt Alice's ciphertext. In this way Bob can 
correctly decrypt every ciphertext even when multiple ciphertexts from different senders are 
received simultaneously. 

2. In the above description Alice and Bob do not detect potential eavesdropping on the 
ciphertext while it is in the channel. As we show in Section IV, Eve cannot obtain the message 
from the ciphertext, but she can still mount a denial-of-service (DoS) attack to disrupt the 
communication [26, 27]. To enable Alice and Bob to discover this kind of attack, message 
authentication can be introduced into the scheme. For example, when Alice wants to send a 
message m to Bob, she first computes the message digest H(m) with a public hash function 
(e.g. MD5 or SHA-1), and then sends both m and H(m) to Bob through the QPKC system. After Bob 
has received the two parts m' and H'(m), he can detect tampering by checking whether H'(m) is 
the digest of m'. By this means Alice and Bob can discover eavesdropping on the ciphertext. 

3. So far we have not considered noise in the quantum channels. As is well known, a quantum 
state changes because of the unavoidable decoherence in a noisy channel. In this case, the 
techniques of entanglement purification [28, 29] and quantum privacy amplification [30] can 
be introduced into the scheme to improve the quality of the Bell state of the EPR pairs (the 
keys) after one of the keys has been transmitted. Therefore, our QPKC scheme can also be used 
in noisy circumstances. 

3. Till now we have not consider the noise in quantum 
channels. As we know, quantum state will change be- 
cause of the unavoidable decoherence in a noisy channel. 
In this condition, the technologies of entanglement pu- 
rification [2^, [2^ and quantum privacy amplification [30j 
can be introduced in this scheme to improve the quality 
of the Bell state of these EPR pairs (i.e. the keys) af- 
ter the transmission of one of the keys. Therefore, our 
QPKC scheme can be used even in a noisy circumstances. 



IV. SECURITY ANALYSIS 

In a QPKC system Eve's aim is either to obtain Bob's private key, with which she can decrypt 
the ciphertext, or to obtain the plaintext without the private key. A secure QPKC system must 
therefore ensure that neither event can occur. The following discussion is based on this fact. 

The above QPKC scheme uses some familiar and reliable techniques to guarantee its security: 
BB84-type qubits [31] are used as decoy states to protect the transmitted sequences, and 
conjugate-basis measurements are used to verify the state of the recycled key qubits. Note that 
in our scheme every public-key qubit is used to encrypt only one message bit (or qubit), so 
there is no correlation between different ciphertexts. As a result, we need not consider 
conventional attack strategies such as chosen-plaintext and chosen-ciphertext attacks. In the 
following we briefly discuss the security of each stage of the scheme. 

Key generation. In this stage Trent prepares EPR pairs in $|\Phi^+\rangle$ and sends one qubit 
of each pair (the sequence $S_q$) to Bob as his private key. Because Trent is tr usted, we need 
only consider attacks by an outside eavesdropper (Eve). In this process Eve has the chance to 
obtain Bob's private key, with which she could decrypt any ciphertext sent to Bob. However, 
Eve's goal cannot be achieved, because of the decoy states. The reasons are as follows. 

First, the quantum no-cloning theorem [25] ensures that Eve cannot replicate the qubits of the 
private key. For simplicity, consider one EPR pair $(p_i, q_i)$, where $p_i$ is a qubit of 
$S_p$ (public key) and $q_i$ is the corresponding qubit of $S_q$ (private key). Obviously, 
while $q_i$ is in transit Eve cannot generate a new qubit $q'_i$, a copy of $q_i$, such that 
both $(p_i, q_i)$ and $(p_i, q'_i)$ are in the Bell state $|\Phi^+\rangle$; this is forbidden 
by fundamental laws of quantum mechanics (no-cloning, and more specifically the monogamy of 
entanglement: $p_i$ cannot be maximally entangled with two qubits at once). This point is very 
different from conventional PKC systems, in which the private key can never be transmitted 
over a public channel because it consists of bits and can be copied easily. 

Second, since both the decoy qubits and the private-key qubits are in the same state, the 
maximally mixed state $\rho = \frac12(|0\rangle\langle0| + |1\rangle\langle1|)$, the two kinds 
of qubits cannot be distinguished. That is, any attack operation intended for the private-key 
qubits is inevitably also executed on the decoy qubits. As a result, the attack leaves a trace 
on the decoy states and is discovered by the legitimate users. For example, Eve may want to 
entangle her ancilla into the Bell state by a collective operation on it and the qubit $q_i$, 
and subsequently use the ancilla to decrypt the ciphertext encrypted with $p_i$. More 
concretely, Eve prepares an ancilla $|0\rangle_a$ and performs the CNOT operation $C_{q_i a}$ 
while $q_i$ is in transit, that is, 

$$C_{q_i a}\,\frac{1}{\sqrt2}\big(|00\rangle + |11\rangle\big)_{p_i q_i}|0\rangle_a 
= \frac{1}{\sqrt2}\big(|000\rangle + |111\rangle\big)_{p_i q_i a}, \qquad (8)$$

and then resends $q_i$ to Bob. When Alice uses $p_i$, the corresponding public-key qubit, to 
encrypt a message bit $m_i$, the state of the whole system becomes 

$$C_{p_i l_i}\,\frac{1}{\sqrt2}\big(|000\rangle + |111\rangle\big)_{p_i q_i a}|m_i\rangle_{l_i} 
= \frac{1}{\sqrt2}\big(|000m_i\rangle + |111\bar m_i\rangle\big)_{p_i q_i a l_i}. \qquad (9)$$

Eve can then obtain $|m_i\rangle$ exactly by intercepting the ciphertext qubit $l_i$ on its way 
to Bob and performing 

$$C_{a l_i}\,\frac{1}{\sqrt2}\big(|000m_i\rangle + |111\bar m_i\rangle\big)_{p_i q_i a l_i} 
= \frac{1}{\sqrt2}\big(|000\rangle + |111\rangle\big)_{p_i q_i a}|m_i\rangle_{l_i}, \qquad (10)$$

which means Eve gets the plaintext $m_i$. 

However, the above attack disturbs the decoy states. Consider for example the decoy state 
$|+\rangle$. When Eve intercepts it and performs her first CNOT operation on it and her ancilla 
$|0\rangle$, the two qubits end up in the Bell state $|\Phi^+\rangle$, so Bob obtains a 
completely random result when he measures the decoy qubit in $B_x$ to detect eavesdropping. 

Therefore, the above attack will inevitably be discovered by Bob and Trent. In fact, BB84-type 
particles reliably guarantee the security of a quantum sequence, as reflected in the proven 
security of the BB84 protocol [31, 32, 33]. Equivalently, any effective attack will be 
disclosed by the detection via these particles. 
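The encryption and decryption of Stages 2 and 3, the ancilla attack of Eqs. (8)-(10), its effect on a decoy qubit, and the conjugate-basis test of Stage 4 can all be checked with a small statevector simulation. The following is an added example, not code from the paper; the register layout (P, Q, L, A), the helper names and the pure-Python amplitude representation are this example's own assumptions.

```python
import math

# Minimal pure-Python statevector helpers. Qubit i corresponds to bit (1 << i) of the
# basis-state index; a state is a flat list of complex amplitudes.

def zero_state(n):
    v = [0j] * (1 << n)
    v[0] = 1 + 0j
    return v

def apply_x(v, q):
    out = v[:]
    for i, amp in enumerate(v):
        out[i ^ (1 << q)] = amp
    return out

def apply_h(v, q):
    r = 1 / math.sqrt(2)
    out = [0j] * len(v)
    for i, amp in enumerate(v):
        if amp:
            sign = -1 if i & (1 << q) else 1
            out[i & ~(1 << q)] += r * amp
            out[i | (1 << q)] += sign * r * amp
    return out

def apply_cnot(v, c, t):
    out = v[:]
    for i, amp in enumerate(v):
        if i & (1 << c):
            out[i ^ (1 << t)] = amp
    return out

def probs(v, qubits):
    """Joint outcome distribution of a Z-basis measurement of the given qubits."""
    p = {}
    for i, amp in enumerate(v):
        key = tuple((i >> q) & 1 for q in qubits)
        p[key] = p.get(key, 0.0) + abs(amp) ** 2
    return p

def bell_pair(n, a, b):
    """|Phi+> = (|00> + |11>)/sqrt(2) on qubits a, b of an n-qubit register (Eq. (5))."""
    return apply_cnot(apply_h(zero_state(n), a), a, b)

# Register layout: P = public-key qubit p_i, Q = private-key qubit q_i,
# L = message/ciphertext qubit l_i, A = an ancilla held by Eve (or by Alice).
P, Q, L, A = 0, 1, 2, 3

def encrypt(v, m):
    """Stage 2, Eq. (6): Alice prepares |m> on L and applies C_{p_i l_i}."""
    if m:
        v = apply_x(v, L)
    return apply_cnot(v, P, L)

def decrypt_prob(v, m):
    """Stage 3, Eq. (7): Bob applies C_{q_i l_i}; returns Pr[L measures to m]."""
    return probs(apply_cnot(v, Q, L), [L]).get((m,), 0.0)

def honest_run(m):
    """Returns (Pr[ciphertext Z-outcome 0], Pr[ciphertext X-outcome +], Pr[Bob decodes m])."""
    c = encrypt(bell_pair(4, P, Q), m)
    z0 = probs(c, [L]).get((0,), 0.0)
    xplus = probs(apply_h(c, L), [L]).get((0,), 0.0)
    return z0, xplus, decrypt_prob(c, m)

def eve_ancilla_attack(m):
    """Eqs. (8)-(10): Eve applies C_{q_i a} while q_i is in transit, later reads l_i with
    C_{a l_i}, then re-applies C_{a l_i} and forwards l_i. Returns (Pr[Eve reads m], Pr[Bob reads m])."""
    v = apply_cnot(bell_pair(4, P, Q), Q, A)      # Eq. (8)
    v = encrypt(v, m)                             # Eq. (9)
    v = apply_cnot(v, A, L)                       # Eq. (10): L now holds |m>
    p_eve = probs(v, [L]).get((m,), 0.0)
    v = apply_cnot(v, A, L)                       # undo, so the ciphertext looks untouched
    return p_eve, decrypt_prob(v, m)

DECOYS = {"0": ("Z", 0), "1": ("Z", 1), "+": ("X", 0), "-": ("X", 1)}

def decoy_error_rate(label):
    """The same C_{d a} operation applied to a decoy qubit d (qubit 0) with ancilla |0> (qubit 1).
    Returns Pr[Bob's result in the announced basis differs from what Trent prepared]."""
    basis, bit = DECOYS[label]
    v = zero_state(2)
    if bit:
        v = apply_x(v, 0)
    if basis == "X":
        v = apply_h(v, 0)
    v = apply_cnot(v, 0, 1)
    if basis == "X":
        v = apply_h(v, 0)          # Bob measures in B_x by rotating into B_z
    return probs(v, [0]).get((1 - bit,), 0.0)

def recycle_check(alice_kept_ancilla):
    """Stage 4, steps 2-5: Pr[Trent's and Bob's outcomes agree] in B_z and in B_x."""
    v = bell_pair(4, P, Q)
    if alice_kept_ancilla:          # Alice entangled an ancilla with p_i before returning it
        v = apply_cnot(v, P, A)
    pz = probs(v, [P, Q])
    px = probs(apply_h(apply_h(v, P), Q), [P, Q])
    agree = lambda p: p.get((0, 0), 0.0) + p.get((1, 1), 0.0)
    return agree(pz), agree(px)
```

`honest_run` shows that the ciphertext qubit on its own is maximally mixed in both bases while Bob decodes with probability 1. `eve_ancilla_attack` shows that Eve reads the bit and, after re-applying $C_{a l_i}$, Bob still decodes correctly, so nothing in the key or ciphertext qubits betrays her; `decoy_error_rate` shows that the same operation on an X-basis decoy gives Bob a random result (error probability 1/2, so 1/4 averaged over the four decoy states), which is what catches her. `recycle_check` shows that an ancilla left entangled by Alice keeps the $B_z$ correlation of the returned key qubit but breaks the $B_x$ correlation, which is exactly what step 4 of Stage 4 tests.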

Encryption. As introduced in Section III, our QPKC scheme uses symmetric keys: the public key 
and the private key are in the same state, so anyone who holds the public key can also decrypt 
a ciphertext encrypted with it. In this stage Eve has the chance to touch the public key while 
it is transmitted from Trent to Alice. However, as in Stage 1, Eve can never replicate these 
qubits, and the decoy states ensure the security of the public key. Consequently, any effective 
attack on the public key will be discovered by the legitimate users. 

Now consider what Eve can obtain from the ciphertext while it is transmitted from Alice to 
Bob. From the above analysis, Eve cannot extract any useful information from the transmitted 
key qubits, public or private, unless she disturbs the decoy states. In that case Eve learns 
nothing about the plaintext from the ciphertext, because every ciphertext qubit is in the same 
state $\rho = \frac12(|0\rangle\langle0| + |1\rangle\langle1|)$ regardless of the value (0 or 1) 
of the corresponding message bit. 

A classical hash function is also used in this stage. We should emphasize that, although hash 
functions are not perfectly secure (collisions can be found for some of them by advanced 
algorithms; collisions for MD5 and SHA-1 are in fact practical today), this does not reduce the 
security of the whole QPKC system. As shown above, Eve cannot obtain the plaintext at all in 
this stage; the hash is used only to protect the scheme against DoS attack, where it plays a 
role like that of a message authentication code (MAC), although it is strictly an integrity 
check whose protection comes from the confidentiality of the ciphertext rather than from a key. 
Note that, by Eqs. (6) and (7), applying an X gate to a ciphertext qubit $l_i$ flips the 
decrypted bit $m_i$ without Eve learning it; the digest catches such blind modifications 
because Eve, not knowing m, cannot adjust H(m) to match the modified m'. For this purpose 
general hash functions such as MD5 or SHA-1 suffice to disclose a potential DoS attack. 

Decryption. In this stage Eve has no chance to attack because no qubits are transmitted. After 
Bob has obtained the plaintext, he can judge with the help of the hash whether a DoS attack has 
occurred. 

Key recycling. In this stage Alice sends the public key back to Trent. As far as Eve is 
concerned, the situation is similar to the beginning of Stage 2. But here we must also consider 
an attack by Alice. Because the recycled public-key qubits will be reused later when another 
user (say Charlie) sends his message to Bob, Alice can prepare for future illegal decryption 
while these qubits are still in her hands: for example, she can entangle an ancilla into each 
Bell pair and use it later to decrypt the ciphertext sent by Charlie (similar to Eve's strategy 
in Stage 1). 

Taking this threat into account, we must ensure that the states of the public-key qubits Alice 
sends back are unchanged (that is, each qubit is still in the Bell state $|\Phi^+\rangle$ with 
its partner in Bob's hands). In our scheme we use conjugate-basis measurements to detect 
eavesdropping, which resists attacks from both Eve and Alice. This technique is widely used in 
quantum cryptography and its reliability has been proved; we do not repeat the analysis here. 

Finally, it is well known that in a practical QKD system Eve may attack only a small fraction 
of the transmitted particles so that the disturbance she introduces is covered by channel 
noise. In this case Eve can extract a small amount of information about the key, while the 
legitimate users cannot tell whether there is an eavesdropper because the error rate Eve 
introduces is small enough. The users then perform privacy amplification [40, 41] on the raw 
key and obtain a final key with unconditional security. A similar problem exists in our QPKC 
scheme: Eve may attack only a small fraction of the key qubits and thereby obtain some 
information about the plaintext. For this reason we introduce entanglement purification 
[28, 29] and quantum privacy amplification [30] into the scheme, which makes it possible to 
achieve unconditional security in theory. 



V. DISCUSSIONS AND CONCLUSIONS 

Compared with the previous QPKC system (the GMN scheme), our scheme has the following features. 

1. The roles of the public key and the private key are equal. When Rivest, Shamir, and Adleman 
presented the famous RSA scheme, as described in Section I, they pointed out four basic 
conditions that a PKC system generally satisfies. The last of them, (C4), requires that users 
can also encrypt a message with the private key and decrypt it correctly with the public key. 
This requirement opens the door to an important application of PKC, the digital signature. 
This aim is not achieved in the GMN scheme. The problem is resolved in our scheme because the 
public key and the private key are both quantum and in the same state. This feature therefore 
makes it possible to construct a quantum signature protocol based on our scheme. Of course, 
designing such a protocol is a complex task and is beyond the scope of this paper. 

2. A way to verify the identity of the public key is provided in our scheme. In both schemes 
the public key is quantum, and its identity should be authenticated when the message sender 
receives it from Trent (or the key-distribution center, KDC, as it is called in Ref. [11]). 
This is crucial for the security of the whole QPKC system. However, authentication remains an 
open question in the GMN scheme because of the complexity of the public-key states. In our 
scheme the problem is resolved in two ways. On the one hand, decoy-state detection protects the 
public-key qubits from attack by Eve. On the other hand, because the key qubits all come from 
the same Bell state $|\Phi^+\rangle$, entanglement purification and quantum privacy 
amplification can easily be performed on them, as these are existing technologies for Bell 
states [28, 29, 30]. Through these means a high-fidelity Bell state can be obtained even over 
a noisy channel, or equivalently, the state of the public key can be authenticated. By 
contrast, in the GMN scheme the public-key states differ from each other and are even unknown 
to the message sender, which makes it very hard to perform quantum privacy amplification on 
them. 

3. The state-estimation attack is invalid against our 
scheme. In the GMN scheme, as discussed in Section II, 
Eve can estimate the state of the public key by measuring 
multiple copies of it, and then obtain much information 
about the plaintext. In our scheme, however, any two qubits 
from different public keys belong to different EPR pairs, 
and there are no correlations between them. Even when the 
same qubit is reused in a subsequent encryption, it is 
independent of its previous usage because its state is 
re-identified in the recycling process. As a result, Eve 
cannot get more useful information from multiple public 
keys than from one. In fact, as pointed out in Section IV, 
no one can obtain a copy of the private key (or qubits with 
which Eve could correctly decrypt a certain ciphertext) 
from the public key without introducing disturbance. This 
is guaranteed by the fundamental laws of quantum mechanics. 
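The argument in point 3 can be checked numerically. The following is an added illustration, not code from the paper: it assumes |Φ+⟩ = (|00⟩ + |11⟩)/√2 as the key state and builds, with numpy, the reduced state of one half of a Bell pair and the joint state of the public halves of two independent pairs. It shows that a single key qubit is maximally mixed (one bit of entropy, outcome probabilities 1/2 in every real measurement basis, so a measurement reveals nothing), that correlation exists only between the two halves of the same pair, and that the public halves of different pairs carry zero mutual information, which is why collecting many public-key qubits does not help Eve. The same holds for all four Bell states, which the helper also accepts.

```python
import numpy as np

# Constructed example: numerical check that one half of a Bell pair carries
# no information and that halves of distinct Bell pairs are uncorrelated.
# Qubit order inside a two-pair register is A1, B1, A2, B2 (A = public half).

KET0 = np.array([1.0, 0.0], dtype=complex)
KET1 = np.array([0.0, 1.0], dtype=complex)


def bell_state(kind="phi+"):
    """One of the four Bell states; 'phi+' = (|00>+|11>)/sqrt2 is the key state assumed here."""
    sign = 1 if kind.endswith("+") else -1
    if kind.startswith("phi"):
        psi = np.kron(KET0, KET0) + sign * np.kron(KET1, KET1)
    else:
        psi = np.kron(KET0, KET1) + sign * np.kron(KET1, KET0)
    return psi / np.sqrt(2)


def density_matrix(psi):
    return np.outer(psi, psi.conj())


def partial_trace(rho, n_qubits, keep):
    """Trace out every qubit not listed in `keep` by summing matched row/column indices."""
    letters = "abcdefghijklmnopqrstuvwxyz"
    rows = list(letters[:n_qubits])
    cols = list(letters[n_qubits:2 * n_qubits])
    for q in range(n_qubits):
        if q not in keep:
            cols[q] = rows[q]  # same letter on row and column index -> summed out
    out = "".join(rows[q] for q in keep) + "".join(cols[q] for q in keep)
    expr = "".join(rows) + "".join(cols) + "->" + out
    reduced = np.einsum(expr, rho.reshape([2] * (2 * n_qubits)))
    dim = 2 ** len(keep)
    return reduced.reshape(dim, dim)


def von_neumann_entropy(rho):
    """Entropy in bits; 1.0 for a single qubit means the state is I/2."""
    ev = np.linalg.eigvalsh(rho)
    ev = ev[ev > 1e-12]
    return float(-np.sum(ev * np.log2(ev)))


def basis(theta):
    """Real measurement basis rotated by theta from the computational basis."""
    u0 = np.array([np.cos(theta), np.sin(theta)], dtype=complex)
    u1 = np.array([-np.sin(theta), np.cos(theta)], dtype=complex)
    return u0, u1


def single_qubit_probs(rho, theta):
    """Outcome probabilities for measuring a one-qubit state rho in basis(theta)."""
    return tuple(float(np.real(v.conj() @ rho @ v)) for v in basis(theta))


def joint_probs(rho2, theta1, theta2):
    """2x2 joint outcome distribution for measuring a two-qubit state rho2."""
    P = np.zeros((2, 2))
    for i, u in enumerate(basis(theta1)):
        for j, v in enumerate(basis(theta2)):
            w = np.kron(u, v)
            P[i, j] = np.real(w.conj() @ rho2 @ w)
    return P


def mutual_information(P):
    """Classical mutual information (bits) of a 2x2 joint distribution."""
    pi, pj = P.sum(axis=1), P.sum(axis=0)
    mi = 0.0
    for i in range(2):
        for j in range(2):
            if P[i, j] > 1e-12:
                mi += P[i, j] * np.log2(P[i, j] / (pi[i] * pj[j]))
    return float(mi)


def eve_single_qubit_entropy(kind="phi+"):
    """Entropy of one half of a Bell pair: 1 bit, i.e. the half alone is I/2."""
    rho_a = partial_trace(density_matrix(bell_state(kind)), 2, keep=(0,))
    return von_neumann_entropy(rho_a)


def correlation_bits(keep, theta1, theta2, kind="phi+"):
    """Mutual information between measurements on two qubits of |Bell> (x) |Bell>.
    keep=(0, 1): both halves of one pair; keep=(0, 2): public halves of two pairs."""
    psi = np.kron(bell_state(kind), bell_state(kind))
    rho2 = partial_trace(density_matrix(psi), 4, keep=keep)
    return mutual_information(joint_probs(rho2, theta1, theta2))


if __name__ == "__main__":
    rho_a = partial_trace(density_matrix(bell_state()), 2, keep=(0,))
    print("entropy of one key qubit :", eve_single_qubit_entropy())
    print("probs in a rotated basis :", single_qubit_probs(rho_a, 0.7))
    print("same pair, both Z        :", correlation_bits((0, 1), 0.0, 0.0))
    print("different pairs          :", correlation_bits((0, 2), 0.3, 1.1))
```

The contrast between `correlation_bits((0, 1), ...)` (one bit, the correlation that the legitimate key holders share) and `correlation_bits((0, 2), ...)` (zero, whatever bases Eve chooses) is the whole content of the claim: the information is in the correlation between public and private halves, and an eavesdropper holding only public halves sees independent, uniformly random outcomes.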

4. The keys can be reused and refuelled whenever it is 
needed. 

We have to admit that, apart from the above features, 
our scheme also has a disadvantage: the private key consists 
of qubits instead of bits as in the GMN scheme, which places 
a burden on the user to store them. This is not a fatal 
problem, however, because quantum storage seems necessary 
in any QPKC system. For example, many copies of the public 
key must be stored by Trent or the KDC for a long time. 

One may argue that our scheme does not look like a 
practical PKC system (e.g. any familiar conventional 
PKC such as the famous RSA scheme) for the following 
two reasons: 1. Some QKD-like strategies for eavesdropping 
detection are used to guarantee the security; 2. It uses 
symmetric keys. We emphasize that both of these facts have 
their roots in the quantum nature of QPKC. We now give 
further interpretations of these two points. 

1. As we know, the quantum-mechanical nature of qubits 
renders eavesdropping detectable, which is the root of the 
unconditional security of quantum cryptography. To obtain 
this advantage in a quantum protocol, an eavesdropping-
detection process is absolutely necessary. This is also 
the case in QPKC. For example, in a QPKC system the public 
key, generally composed of qubits [44], must be 
authenticated after transmission over a public channel. 
Otherwise Eve may correctly decrypt the corresponding 
ciphertext by a prior attack on this key (e.g. replacing 
it with her own qubits or entangling ancillas into it). 
Therefore, we have to introduce some QKD-like strategies 
to protect the security of the public key, which exactly 
reflects the essential characteristic of quantum 
cryptography. On the contrary, the classical public key 
in the RSA scheme can easily be authenticated by 
conventional technologies such as the digital signature. 
Note that there are no such strategies in the GMN scheme 
because public-key authentication is not addressed in 
Ref. [11]. 

2. By choosing Bell-state qubits as the keys we initially 
intended to avoid the state-estimation attack that applies 
to the GMN scheme. In fact, Bell states have a special 
feature which makes them suitable for QPKC: they can be 
authenticated by existing technologies (especially 
entanglement purification and quantum privacy 
amplification), which is an important issue in QPKC that 
is still unresolved in the previous scheme. We know that 
equal keys can never be used in a conventional PKC system, 
because then anyone could obtain the private key simply by 
copying the public key and decrypt all corresponding 
ciphertexts. Thus two different keys are really needed, so 
that Eve cannot obtain the private key from the public one. 
In the quantum setting, however, things go very 
differently. On the one hand, the quantum no-cloning 
theorem no longer allows the replication of qubits. On the 
other hand, authentication of the public key is necessary 
in QPKC and, at the same time, whenever the authentication 
succeeds it generally ensures that Eve cannot read any 
information from the public key. Under this condition, 
therefore, there is no longer any need to design two 
different keys; that is, equal keys are sufficient for 
QPKC. In fact we have shown that it is feasible to use 
symmetric keys in a QPKC system, which touches on the very 
nature of the quantum state. 

In conclusion, as a follow-up study to Ref. [11], we 
have given a new elementary idea for QPKC and constructed 
a whole theoretical framework of a QPKC system. It was 
shown that symmetric keys can be used in QPKC, which is 
quite different from the situation in conventional PKC. 
The security and features of this scheme were discussed. 
In addition, a possible attack on the GMN scheme was 
demonstrated. Combining the unconditional security of 
QKD and the significant flexibility of PKC, QPKC has long 
been an expected goal of scholars in the field of quantum 
cryptography. But to design a practical QPKC scheme, or 
alternatively, to demonstrate its feasibility, is still a 
difficult task. This study can be seen as a step in that 
direction. 